Looking Into a Crystal Ball for the Future of Cybersecurity

Every once in a while you need to take a step back and think about the future. Where’s a good place to look for high-risk, high-opportunity ideas in the future of computer security? The New Security Paradigms Workshop (NSPW) is a crystal ball view into the future of cybersecurity. NSPW is an invitation-only workshop dedicated to in-depth discussions of radical forward thinking in security research. Here are highlights from a handful of presentations that pursue areas that might be evocative or inspirational to the broader Cisco security community.

Milware: Identification and Implications of State Authored Malicious Software is a research effort that starts by trying to establish a technical basis for distinguishing between mal- and milware. The authors evaluated and reverse engineered sample malicious software to establish an initial set of criteria that consistently distinguishes the samples identified as state or non-state authored. These are:

Potential additions to the criteria include code reuse, design metrics (e.g. cyclomatic complexity), measures of modularity, and current trends in targeting trust infrastructure.

What might be the policy implications of being able to differentiate early in the detect/respond lifecycle? Would a victim respond differently if it could be determined whether the attack is mil- vs. malware? If, as a victim, you knew that the attacker had no concern about whether the attack was brought to light? If they were not subject to the existing set of legal tools? If they had brought state-level resources to bear on the attack?

Another paper that looks at the potential impact of international politics on security was Peace vs. Privacy: Leveraging Conflicting Jurisdictions for Email Security. The authors take the assumption of perpetual hostility to build a foundation for security (talk about a new paradigm) where cloud-based service providers in conflicting jurisdictions are used to separate key and encrypted content transmission and storage. Their email prototype does not require creation of keying materials before receiving confidential email. The only prerequisite is that the sender and receiver are following each other on Twitter.

Exploiting the Physical Environment for Securing the Internet of Things continues in an area that uses randomness provided by the physical environment to build security solutions, for example using the shared entropy in ambient audio, luminosity modalities or electromagnetic emanations to build context-based solutions. The authors take this approach with a key establishment system, deriving a shared secret on resource-constrained devices with a tight power budget, coupled with a rigorous security analysis. What sorts of IoT contexts and use cases might benefit from this? Hospitals? Tanks?

Several papers explore the territory of security decision-making. “If you were attacked, you’d be sorry”: Counterfactuals as security arguments explores the argumentation side of security decision-making. This early-days work is aiming at a structure to help decision makers properly integrate “what-if” scenarios, which can be a huge challenge to take into account appropriately. These scenarios are complicated by rare events with catastrophic consequences, active adversaries, questionably appropriate countermeasures (based on values or context), and countermeasures that reduce some risks and increase others. I’m hoping the authors get to the point where they produce a framework that can be tried out on some security business decisions.

Examining the Contribution of Critical Visualisation to Information Security applies LEGO to visualization of security facts, figures, and values, to do user-led risk assessment. Their case study was the design of a micro-payment service to be delivered using Internet-Protocol TV for low-income families to make payments and manage money, using television as an interface. The LEGO artifact was utterly engaging; I wanted to try it out!

The rest of the papers can be seen through the usable security lens, a topic near and dear to my heart. Developers, administrators, employees and end users, and their relationship to security, all get some airtime. Interested in learning more? Proceedings with the final papers on all of these are due out in November.

Hi Nir, in the context of the paper, the term "milware" refers to malware authored by a nation state (or their delegate). The researchers are looking for exactly that; ways to determine if and how malware from state actors is different from malware from other places. They have an initial set of criteria that works for their sample so far.

Hi Mary Ellen,
I'm interested in the topic of how component failures or faults can lead to security vulnerability. The latest example is Google's exploitation of a DRAM row hammer condition to gain access to privileged memory. Is there a forum to discuss other IC fault mechanisms and their impact on security?
Thanks,
Charlie

Hi Charlie, I'm not aware of any forum quite like that. You might try searching scholar.google.com for Fault Injection Attacks to try to get a sense of where those discussions happen in research (looks like dependability and crypto forums at a glance).
